MCP Audit Docs

Policy Files

Apply suppressions, required controls, restricted paths, and custom organization policy checks.

Start Reading Open MCP Audit GitHub
On this page

Policy Files

Policy files let teams convert MCP Audit from a general scanner into an organization-specific gate.

Use a policy file with:

mcp-audit scan --path . --policy ./mcp-audit-policy.yaml
Policy Evaluation Flow Policies turn raw scanner findings into a repeatable team decision. Scan Findings tools, paths, auth Policy Engine blocked tools restricted paths baseline suppressions fail threshold Pass Warn Fail Keep policy decisions explicit, reviewed, and versioned with the repository.

Example Policy

version: "1"
fail_on: high
suppressions:
  - id: MCP080
    target: local-debug-tool
    reason: Allowed only in the local sandbox.
    expires: "2026-12-31"
blocked_tools:
  - run_shell
restricted_paths:
  - "~/.ssh"
allowed_registries:
  - ghcr.io
  - npmjs.com
require:
  auth_for_http: true
  pinned_packages: true
  tool_side_effect_labels: true
  no_hardcoded_secrets: true

Baselines

Use a baseline to suppress known findings while still reporting new issues:

mcp-audit scan --path . --baseline ./baseline.json

Baselines should be reviewed regularly. Each suppression should have a reason and an expiry date.

Baseline vs Suppression

ControlUse whenReview expectation
BaselineA team is adopting MCP Audit and needs to track known findings without blocking all work.Review at regular intervals and reduce over time.
SuppressionA specific finding is intentionally accepted for a defined reason.Include reason, owner, and expiry.
fail_onThe pipeline should block above a severity threshold.Align with branch protection and release policy.

Custom Rules

Custom YAML rules help teams flag organization-specific tool names, risky descriptions, command patterns, and registry usage.